Splitting the counts

As with the splitting and partitioning along categorical fields shown in previous chapters, the Count functions can also be split by a categorical field. This is a handy way to run many event rate analyses simultaneously, and it can be set up with either the Multi Metric job or the Advanced job UI wizard.

Some common use cases for this are as follows:

  • Finding an increase in error messages in a log by error ID or type
  • Finding a change in log volume by host; perhaps some configuration was changed
  • Determining whether certain products are suddenly selling better or worse than they used to

To accomplish this, the same mechanisms are used. For example, in a Multi Metric job, one can choose a categorical field by which to split the data while using a Count (event rate) function:

This results in the following, where it was determined that only one of the many entities being modeled was actually unusual (the spike in the volume of requests for the airline AAL):

As you can see, it is extremely easy to see volume-based variations across a wide number of unique instances of a categorical field in the data. We can see at a glance which entities are unusual and which are not.
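The effect of splitting a count by a categorical field can be reproduced outside the product. The following is an added sketch, not code from the book or from Elastic ML: it buckets constructed events per airline and scores each bucket against that airline's own median and MAD, a simple stand-in for the job's per-entity modeling. The bucket span, threshold, timestamps and the airline labels other than AAL are assumptions.

```python
from collections import defaultdict
from statistics import median

BUCKET_SPAN = 300  # seconds per bucket; an assumed value for this sketch

def bucket_counts(events, span=BUCKET_SPAN):
    """Split (epoch_seconds, entity) events into one count series per entity."""
    events = list(events)
    if not events:
        return {}
    first = min(ts for ts, _ in events) // span
    last = max(ts for ts, _ in events) // span
    series = defaultdict(lambda: [0] * (last - first + 1))
    for ts, entity in events:
        series[entity][ts // span - first] += 1
    return dict(series)

def unusual_buckets(series, threshold=6.0):
    """Score each bucket against that entity's own median and MAD."""
    findings = []
    for entity, counts in sorted(series.items()):
        med = median(counts)
        mad = median([abs(c - med) for c in counts]) or 1.0  # avoid dividing by zero
        for i, c in enumerate(counts):
            score = abs(c - med) / mad
            if score > threshold:
                findings.append((entity, i, c, round(score, 1)))
    return findings

def constructed_events(t0=1_500_000_000, buckets=24):
    """Constructed sample: three airlines with different normal event rates."""
    base = {"AAL": 10, "AWE": 40, "JZA": 3}  # AWE and JZA are made-up labels
    events = []
    for name, rate in base.items():
        for i in range(buckets):
            n = rate + (i % 3) - 1          # small regular variation
            if name == "AAL" and i == 18:
                n = 40                      # the spike; 40 is routine for AWE
            events += [(t0 + i * BUCKET_SPAN + k, name) for k in range(n)]
    return events

if __name__ == "__main__":
    found = unusual_buckets(bucket_counts(constructed_events()))
    for entity, bucket, count, score in found:
        print(f"{entity}: bucket {bucket} count={count} score={score}")
```

A count of 40 is flagged for AAL but is an ordinary bucket for AWE, which is why a single unsplit count, or one global threshold, would miss it.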
